Combining Cyber Standards – Is ‘Unified’ Always A Good Approach?
The CMMC enforcement model will require a significant adjustment to the way contractors conduct government business – from procurement to execution. In Part 2 of this series, I discussed the possible impacts of having your company's security rating made public. In Part 3, I would like to discuss how a single unified cybersecurity standard affects a company's compliance practices.
The intent of the CMMC is to combine various cybersecurity control standards, such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others, into one unified standard. In the complex world of cybersecurity, standards are good and have been sorely needed in both the government and commercial worlds, especially for managing supply chain risk. Keeping those standards simple enough for any organization to comply with is equally important.
Add your view to our Twitter poll: https://twitter.com/TripwireInc/status/1178965553022668802
From my perspective, here are the pros and cons of the CMMC's unified approach:
PROS:
- For organizations that currently don't have to comply with any particular mandate, the CMMC's unified approach is good because it identifies an appropriate maturity level for the organization's compliance program, and with it an appropriate level of resources -- preventing over- or under-investment in compliance.
- With the CMMC, the DoD is the first federal department to define a security framework intended to apply throughout its entire supply chain. As commercial organizations incorporate third-party services into their solutions, supply chain security is becoming more and more of a concern. This DoD supply chain framework might just be a framework that organizations can leverage across industries when customers start asking about the organization's security posture.
CONS:
- Unless an organization's client portfolio consists entirely of U.S. DoD agencies, the CMMC approach means it will have to comply with one standard for DoD customers and other standards for non-DoD customers (including civilian agency customers, until such time as the CMMC is adopted governmentwide). While many of the controls may overlap, it is still another audit and regulatory scheme that your governance, risk and compliance team will have to manage.
- While having to meet specific DoD requirements is nothing new for contractors, meeting the CMMC standard will equate to an additional layer of compliance and reporting investment.
- The CMMC is going to require independent certification assessments, so organizations may need to adopt additional tools to produce the evidence those assessments call for.
So, will the CMMC's unification of standards change an organization's approach to compliance? Yes, but to varying degrees and at varying cost. The large primes and Fast 50 contractors are probably already complying with a broad scope of controls, so transitioning to the CMMC's unified standard likely won't be a heavy burden. For the small manufacturer of military vehicle hardware, or another small organization in the DoD supply chain that doesn't already have a governance and compliance management program in place, this is a great opportunity to get one in place -- one that is scaled to an appropriate maturity level. The nice thing about the CMMC is that it is designed not to be an onerous regulatory scheme. For everyone else, it might be a good time to consider reprioritizing your company's sales strategy toward non-DoD markets.
Missed the first two parts? Catch up here: Read Part 1 here. Read Part 2 here.